Proceedings of the XXth Conference of Open Innovations Association FRUCT (Apr 2019)
Critical Information Infrastructures Security Modeling
Abstract
The paper discusses the modeling of various aspects of the security of critical information infrastructures (CII) in the assumption of creating a reference model of CII security in the future. The features of CII in terms of goals and safety criteria based on the analysis of various regulatory and methodically established definitions and descriptions of CII are established. The contradictions arising in the attempts to use the traditional methodology of information security in relation to CII are shown. The problems of using the methods and models of classical risk analysis are discussed, in particular, the impossibility of applying the concept of residual risk to the formation of CII safety objectives. The conclusion is made about the expediency of basing these goals on the exhaustion of possible protective measures (controls and activities), the concept of asymptotic safety management of CII , which guarantees the trend of security growth without its current assessment. Changes in the role and place of the threat model in ensuring the security of CII related to the lack of evidence of the completeness of this model are considered. The attractiveness of using the SDL technique for forming elements of the threat model in the conditions of a specific CII is indicated. The structure of the future reference model of safety of the CII including definition of the purposes and criteria of safety (including functional), multilevel static model of functioning of the CII (including security factors), a dynamic model of the spread of security incidents within the CII, the typology of the result of aggressive manifestations of the CII functioning environment (threat model) and the model (methodology) of the spread of protective activities within the information infrastructure.